Hi everyone,

I'm still playing around with the analyzer, and wanted to have a look at 
loop handling.
I'm using a build from /trunk/ branch (/20230309/).

Here is my analyzed code:

'''
1| #include <stdlib.h>
2| int main(void) {
3|    void * ptr = malloc(sizeof(int));
4|    for (int i = 0; i < 10; i++) {
5|        if (i == 5) free(ptr);
6|    }
7|}
'''

And here, the malloc-sm is reporting a double-free on line 5 with a 
quite confusing output:

'''
./test.c: In function ‘main’:
./test.c:5:21: warning: double-‘free’ of ‘ptr’ [CWE-415] 
[-Wanalyzer-double-free]
     5 |         if (i == 5) free(ptr);
        |                         ^~~~~~~~~
   ‘main’: events 1-13
     |
     |   3 |     void * ptr = malloc(sizeof(int));
     |      |                        ^~~~~~~~~~~~~~~~~~~
     |      |                        |
     |      |                        (1) allocated here
     |   4 |     for (int i = 0; i < 10; i++) {
     |      |                         ~~~~  ~~~
     |      |                         |            |
     |      |                         |            (5) ...to here
     |      |                         (2) following ‘true’ branch (when 
‘i <= 9’)...
     |      |                         (6) following ‘true’ branch (when 
‘i <= 9’)...
     |      |                         (9) following ‘true’ branch (when 
‘i <= 9’)...
     |   5 |         if (i == 5) free(ptr);
     |      |            ~           ~~~~~
     |      |            |             |
     |      |            |             (8) first ‘free’ here
     |      |            |             (12) ...to here
     |      |            |             (13) second ‘free’ here; first 
‘free’ was at (8)
     |      |            (3) ...to here
     |      |            (4) following ‘false’ branch (when ‘i != 5’)...
     |      |            (7) ...to here
     |      |            (10) ...to here
     |      |            (11) following ‘true’ branch (when ‘i == 5’)...
     |
'''

So, I'm guessing that this false positive is due to how the analyzer is 
handling loops.
Which lead to my question: how are loops handled by the analyzer?

Thanks for your time,

Pierrick